From 3b3081b7600ccc448cd6a83f090fab79411697da Mon Sep 17 00:00:00 2001
From: Chris Yeoh <cyeoh@au1.ibm.com>
Date: Wed, 24 Jul 2013 20:45:31 +0930
Subject: [PATCH] Adds NoAuthMiddleware for V3

Adds a V3 version of NoAuthMiddleware which returns a url which
unlike the V2 version does not include the tenant_id in the url.

Also fixes bug with the V2 version where it would create broken
urls on Windows because os.path.join was used

Partially implements blueprint v3-api-remove-project-id

DocImpact

Change-Id: I7ecffea52c3662344ac694997bb08a16506abbbd
---
 etc/nova/api-paste.ini                        |  5 +-
 nova/api/openstack/auth.py                    | 28 ++++++--
 .../api/openstack/compute/test_v3_auth.py     | 64 +++++++++++++++++++
 nova/tests/api/openstack/fakes.py             |  2 +-
 4 files changed, 91 insertions(+), 8 deletions(-)
 create mode 100644 nova/tests/api/openstack/compute/test_v3_auth.py

diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 1bd26143fee1..ff84374ade83 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -71,7 +71,7 @@ keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_a
 
 [composite:openstack_compute_api_v3]
 use = call:nova.api.auth:pipeline_factory
-noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v3
+noauth = faultwrap sizelimit noauth_v3 ratelimit osapi_compute_app_v3
 keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v3
 keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v3
 
@@ -81,6 +81,9 @@ paste.filter_factory = nova.api.openstack:FaultWrapper.factory
 [filter:noauth]
 paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory
 
+[filter:noauth_v3]
+paste.filter_factory = nova.api.openstack.auth:NoAuthMiddlewareV3.factory
+
 [filter:ratelimit]
 paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
 
diff --git a/nova/api/openstack/auth.py b/nova/api/openstack/auth.py
index 1fab3e83db27..fc3c5a398da7 100644
--- a/nova/api/openstack/auth.py
+++ b/nova/api/openstack/auth.py
@@ -1,5 +1,6 @@
 # vim: tabstop=4 shiftwidth=4 softtabstop=4
 
+# Copyright 2013 IBM Corp.
 # Copyright 2010 OpenStack Foundation
 # All Rights Reserved.
 #
@@ -15,8 +16,6 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 
-import os
-
 from oslo.config import cfg
 import webob.dec
 import webob.exc
@@ -29,15 +28,17 @@ CONF = cfg.CONF
 CONF.import_opt('use_forwarded_for', 'nova.api.auth')
 
 
-class NoAuthMiddleware(base_wsgi.Middleware):
+class NoAuthMiddlewareBase(base_wsgi.Middleware):
     """Return a fake token if one isn't specified."""
 
-    @webob.dec.wsgify(RequestClass=wsgi.Request)
-    def __call__(self, req):
+    def base_call(self, req, project_id_in_path):
         if 'X-Auth-Token' not in req.headers:
             user_id = req.headers.get('X-Auth-User', 'admin')
             project_id = req.headers.get('X-Auth-Project-Id', 'admin')
-            os_url = os.path.join(req.url, project_id)
+            if project_id_in_path:
+                os_url = '/'.join([req.url.rstrip('/'), project_id])
+            else:
+                os_url = req.url.rstrip('/')
             res = webob.Response()
             # NOTE(vish): This is expecting and returning Auth(1.1), whereas
             #             keystone uses 2.0 auth.  We should probably allow
@@ -61,3 +62,18 @@ class NoAuthMiddleware(base_wsgi.Middleware):
 
         req.environ['nova.context'] = ctx
         return self.application
+
+
+class NoAuthMiddleware(NoAuthMiddlewareBase):
+    """Return a fake token if one isn't specified."""
+    @webob.dec.wsgify(RequestClass=wsgi.Request)
+    def __call__(self, req):
+        return self.base_call(req, True)
+
+
+class NoAuthMiddlewareV3(NoAuthMiddlewareBase):
+    """Return a fake token if one isn't specified."""
+
+    @webob.dec.wsgify(RequestClass=wsgi.Request)
+    def __call__(self, req):
+        return self.base_call(req, False)
diff --git a/nova/tests/api/openstack/compute/test_v3_auth.py b/nova/tests/api/openstack/compute/test_v3_auth.py
new file mode 100644
index 000000000000..10fce50145a7
--- /dev/null
+++ b/nova/tests/api/openstack/compute/test_v3_auth.py
@@ -0,0 +1,64 @@
+# vim: tabstop=4 shiftwidth=4 softtabstop=4
+
+# Copyright 2013 IBM Corp.
+# Copyright 2010 OpenStack Foundation
+# All Rights Reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+import webob
+import webob.dec
+
+from nova import context
+from nova import test
+from nova.tests.api.openstack import fakes
+
+
+class TestNoAuthMiddlewareV3(test.TestCase):
+
+    def setUp(self):
+        super(TestNoAuthMiddlewareV3, self).setUp()
+        self.stubs.Set(context, 'RequestContext', fakes.FakeRequestContext)
+        fakes.stub_out_rate_limiting(self.stubs)
+        fakes.stub_out_networking(self.stubs)
+
+    def test_authorize_user(self):
+        req = webob.Request.blank('/v3')
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        req.headers['X-Auth-Project-Id'] = 'user1_project'
+        result = req.get_response(fakes.wsgi_app_v3(use_no_auth=True))
+        self.assertEqual(result.status, '204 No Content')
+        self.assertEqual(result.headers['X-Server-Management-Url'],
+            "http://localhost/v3")
+
+    def test_authorize_user_trailing_slash(self):
+        #make sure it works with trailing slash on the request
+        req = webob.Request.blank('/v3/')
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        req.headers['X-Auth-Project-Id'] = 'user1_project'
+        result = req.get_response(fakes.wsgi_app_v3(use_no_auth=True))
+        self.assertEqual(result.status, '204 No Content')
+        self.assertEqual(result.headers['X-Server-Management-Url'],
+            "http://localhost/v3")
+
+    def test_auth_token_no_empty_headers(self):
+        req = webob.Request.blank('/v3')
+        req.headers['X-Auth-User'] = 'user1'
+        req.headers['X-Auth-Key'] = 'user1_key'
+        req.headers['X-Auth-Project-Id'] = 'user1_project'
+        result = req.get_response(fakes.wsgi_app_v3(use_no_auth=True))
+        self.assertEqual(result.status, '204 No Content')
+        self.assertFalse('X-CDN-Management-Url' in result.headers)
+        self.assertFalse('X-Storage-Url' in result.headers)
diff --git a/nova/tests/api/openstack/fakes.py b/nova/tests/api/openstack/fakes.py
index 96c27d5503a1..f4bf932be9b5 100644
--- a/nova/tests/api/openstack/fakes.py
+++ b/nova/tests/api/openstack/fakes.py
@@ -106,7 +106,7 @@ def wsgi_app_v3(inner_app_v3=None, fake_auth_context=None,
         inner_app_v3 = compute.APIRouterV3(init_only)
 
     if use_no_auth:
-        api_v3 = openstack_api.FaultWrapper(auth.NoAuthMiddleware(
+        api_v3 = openstack_api.FaultWrapper(auth.NoAuthMiddlewareV3(
               limits.RateLimitingMiddleware(inner_app_v3)))
     else:
         if fake_auth_context is not None: